OCP043 Lecture 15: Database Security (Part 1)

2014-11-24 11:32:20 · Author: · Views: 4

This lecture covers:
1: Encrypting and decrypting data with Transparent Data Encryption (TDE)
2: Encrypted Data Pump export/import, and encrypted external tables
3: Encrypting RMAN backup data
4: Using Virtual Private Database (VPD)
Part 1: Using TDE. TDE encrypts stored data transparently using cryptographic keys.
Method 1: the simplest use of TDE. The master key's password cannot be changed afterwards, and with this method the password must not be enclosed in quotation marks.
[oracle@rhel6 ~]$ mkdir $ORACLE_BASE/admin/$ORACLE_SID/wallet
[oracle@rhel6 ~]$ ls $ORACLE_BASE/admin/$ORACLE_SID/wallet

SQL> alter system set encryption key identified by oracle123;
System altered.

[oracle@rhel6 ~]$ ls $ORACLE_BASE/admin/$ORACLE_SID/wallet
ewallet.p12

SQL> conn hr/hr
Connected.
SQL> create table t04315_a( a number encrypt);
Table created.

SQL> insert into t04315_a values (1);
1 row created.

SQL> commit;
Commit complete.

SQL> select * from dba_encrypted_columns;

OWNER TABLE_NAME COLUMN_NAM ENCRYPTION_ALG       SALT
----- ---------- ---------- -------------------- ---------
HR    T04315_A   A          AES 192 bits key     YES

SQL> select * from hr.t04315_a;

         A
----------
         1

SQL> alter system set encryption wallet close;
System altered.

SQL> select * from hr.t04315_a;
select * from hr.t04315_a
              *
ERROR at line 1:
ORA-28365: wallet is not open

SQL> insert into hr.t04315_a values (2);
insert into hr.t04315_a values (2)
            *
ERROR at line 1:
ORA-28365: wallet is not open
Method 2: generate the ewallet.p12 file with the owm (Oracle Wallet Manager) program. This requires editing sqlnet.ora, and with this method the password must be enclosed in quotation marks. Before generating a new master key, the encrypted columns must be decrypted and the previous master key closed.
SQL> alter system set encryption wallet open identified by oracle123;
System altered.

SQL> alter table hr.t04315_a modify (a decrypt);
Table altered.

SQL> select * from dba_encrypted_columns;
no rows selected

Prepare the directory and edit sqlnet.ora:
[oracle@rhel6 ~]$ mkdir -p $ORACLE_BASE/wallet/$ORACLE_SID
[oracle@rhel6 ~]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
ENCRYPTION_WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/u01/app/wallet/ora10g/)))
Generate the ewallet.p12 file with the OWM tool:

[oracle@rhel6 ~]$ ls $ORACLE_BASE/wallet/$ORACLE_SID
ewallet.p12
Encrypt and decrypt with the key. NO SALT means no random salt is mixed into the value before it is encrypted; indexed columns generally have to be encrypted with NO SALT.
SQL> alter system set encryption key identified by "oracle456";
System altered.

SQL> create table hr.t04315_b (a number encrypt using '3des168' no salt);
Table created.

SQL> insert into hr.t04315_b values (1);
1 row created.

SQL> commit;
Commit complete.

SQL> alter table hr.t04315_b modify (a encrypt salt);
Table altered.

SQL> alter table hr.t04315_b modify (a decrypt);
Table altered.

SQL> alter system set encryption wallet close;
System altered.
Method 3: a connect wallet, which lets a user log in with "conn /@connectstring". Note the difference from externally authenticated users; this cannot coexist with TDE encryption.
Prepare the directory and configure the TNS connect string and sqlnet.ora:
[oracle@rhel6 ~]$ mkdir -p $ORACLE_BASE/connectwallet/$ORACLE_SID
[oracle@rhel6 ~]$ tail -n 8 /u01/app/oracle/network/admin/tnsnames.ora
HRUSERS =
  (DESCRIPTION =
    (ADDRESS = (PROTOCOL = TCP)(HOST = 192.168.50.4)(PORT = 1521))
    (CONNECT_DATA =
      (SERVER = DEDICATED)
      (SERVICE_NAME = ora10g.766.com)
    )
  )

[oracle@rhel6 ~]$ cat $ORACLE_HOME/network/admin/sqlnet.ora
SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=
(SOURCE=(METHOD=FILE)(METHOD_
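As an added example (not part of the lecture notes), the following Python script parses the sqlnet.ora descriptor syntax that methods two and three depend on (ENCRYPTION_WALLET_LOCATION for TDE; WALLET_LOCATION plus SQLNET.WALLET_OVERRIDE for the connect wallet), resolves the wallet DIRECTORY, and checks that ewallet.p12 exists and is readable by its owner only. The wallet holds the TDE master key, so a copy of it that group or other users can read undoes the protection the encrypted columns are meant to give. The sqlnet.ora text, the placeholder connect-wallet directory and the temporary wallet file are all constructed for the example, and the function names are the example's own.

```python
# Added example, not code from the lecture notes: audit the wallet settings in
# an Oracle sqlnet.ora. It parses the parenthesised descriptor syntax used by
# ENCRYPTION_WALLET_LOCATION / WALLET_LOCATION, resolves the wallet DIRECTORY and
# checks that ewallet.p12 exists and is readable by its owner only. The
# sqlnet.ora text and the temporary wallet directory are constructed here.
import os
import stat
import tempfile

def _skip_ws(text, pos):
    while pos < len(text) and text[pos].isspace():
        pos += 1
    return pos

def parse_node(text, pos):
    """Parse one '(KEY=VALUE)' node at text[pos]; VALUE is a scalar string or,
    when it starts with '(', a dict of nested nodes. Returns (key, value, next)."""
    pos = _skip_ws(text, pos)
    if text[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    eq = text.index("=", pos)
    key = text[pos + 1:eq].strip().upper()
    pos = _skip_ws(text, eq + 1)
    if text[pos] == "(":
        value = {}
        while True:
            pos = _skip_ws(text, pos)
            if text[pos] == ")":
                return key, value, pos + 1
            k, v, pos = parse_node(text, pos)
            value[k] = v  # a repeated key (several ADDRESS nodes) keeps the last one
    close = text.index(")", pos)
    return key, text[pos:close].strip(), close + 1

def parse_sqlnet(text):
    """Return {PARAMETER: value}: a scalar running to end of line, or one or
    more descriptor nodes, which may start on the line after the '='."""
    text = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    params, pos, n = {}, 0, len(text)
    while True:
        pos = _skip_ws(text, pos)
        if pos >= n:
            return params
        eq = text.index("=", pos)
        name = text[pos:eq].strip().upper()
        pos = _skip_ws(text, eq + 1)
        if pos < n and text[pos] == "(":
            value = {}
            while pos < n and text[pos] == "(":
                k, v, pos = parse_node(text, pos)
                value[k] = v
                pos = _skip_ws(text, pos)
        else:
            nl = text.find("\n", pos)
            end = n if nl < 0 else nl
            value, pos = text[pos:end].strip(), end
        params[name] = value

def wallet_directory(params, parameter="ENCRYPTION_WALLET_LOCATION"):
    """DIRECTORY of the FILE-method wallet named by `parameter`, or None."""
    location = params.get(parameter)
    source = location.get("SOURCE") if isinstance(location, dict) else None
    if not isinstance(source, dict) or str(source.get("METHOD")).upper() != "FILE":
        return None
    data = source.get("METHOD_DATA")
    return data.get("DIRECTORY") if isinstance(data, dict) else None

def audit_wallet(params, parameter="ENCRYPTION_WALLET_LOCATION", wallet="ewallet.p12"):
    """Return a list of findings; an empty list means the wallet looks sound."""
    directory = wallet_directory(params, parameter)
    if directory is None:
        return ["%s does not name a FILE wallet directory" % parameter]
    path = os.path.join(directory, wallet)
    if not os.path.isfile(path):
        return ["wallet file %s not found" % path]
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("%s is readable by group/others (mode %o)" % (path, mode))
    return findings

# Constructed sqlnet.ora for the connect-wallet case (method three); the
# DIRECTORY is a placeholder because the lecture's listing is cut off before it.
CONNECT_WALLET_CONF = """\
SQLNET.WALLET_OVERRIDE=TRUE
WALLET_LOCATION=
  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=/path/to/connectwallet/ORACLE_SID)))
"""

def demo():
    """Audit a TDE sqlnet.ora pointing at a throwaway wallet dir, at mode 0644 then 0600."""
    tmp = tempfile.mkdtemp()  # created with mode 0700
    wallet = os.path.join(tmp, "ewallet.p12")
    with open(wallet, "wb") as fh:
        fh.write(b"placeholder bytes, not a real PKCS#12 wallet")
    conf = "ENCRYPTION_WALLET_LOCATION=\n  (SOURCE=(METHOD=FILE)(METHOD_DATA=(DIRECTORY=%s)))\n" % tmp
    os.chmod(wallet, 0o644)
    loose = audit_wallet(parse_sqlnet(conf))
    os.chmod(wallet, 0o600)
    return loose, audit_wallet(parse_sqlnet(conf))

if __name__ == "__main__":
    print(demo())
```

Running the script reports one finding for the 0644 wallet and none once it is tightened to 0600. When sqlnet.ora has no ENCRYPTION_WALLET_LOCATION the audit says so rather than guessing a path; method one above shows that in that case the server writes ewallet.p12 under $ORACLE_BASE/admin/$ORACLE_SID/wallet, which is the directory to check instead. Because tnsnames.ora uses the same descriptor syntax, parse_sqlnet also reads the HRUSERS entry shown in method three.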